ETSITS142 009v4.o.o 



(2001-03) 



Technical Specification 



Digital cellular telecommunications system (Phase 2+); 

Security aspects 
(3GPP TS 42.009 version 4.0.0 Release 4) 



33i# 



gsei: 

GLOBAL SYSTEM FOR 
MOBILE COMMUNICATIONS 





3GPP TS 42.009 version 4.0.0 Release 4 1 ETSI TS 142 009 V4.0.0 (2001-03) 



Reference 



RTS/TSGS-0342009Uv4 
Keywords 



GSM 



ETSI 

650 Route des Lucioles 
F-06921 Sophia Antipolis Cedex - FRANCE 

Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 

Siret N°348 623 562 00017 - NAF 742 C 
Association a but non lucratif enregistree a la 
Sous-Prefecture de Grasse (06) N° 7803/88 



Important notice 
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The present document may be made available in more than one electronic version or in print. In any case of existing or 

perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). 

In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive 

within ETSI Secretariat. 

Users of the present document should be aware that the document may be subject to revision or change of status. 
Information on the current status of this and other ETSI documents is available at http://www. etsi . o rq/tb/status/ 

If you find errors in the present document, send your comment to: 
editor@etsi.fr 

Copyright Notification 

No part may be reproduced except as authorized by written permission. 
The copyright and the foregoing restriction extend to reproduction in all media. 

© European Telecommunications Standards Institute 2001 . 
All rights reserved. 
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Foreword 

This Technical Specification (TS) has been produced by the ETSI 3 ld Generation Partnership Project (3GPP). 

The present document may refer to technical specifications or reports using their 3GPP identities, UMTS identities or 
GSM identities. These should be interpreted as being references to the corresponding ETSI deliverables. 

The cross reference between GSM, UMTS, 3GPP and ETSI identities can be found under www.etsi.org/key . 
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Foreword 



id , 



This Technical Specification has been produced by the 3 Generation Partnership Project (3GPP). 

The contents of the present document are subject to continuing work within the TSG and may change following formal 
TSG approval. Should the TSG modify the contents of the present document, it will be re-released by the TSG with an 
identifying change of release date and an increase in version number as follows: 

Version x.y.z 

where: 

x the first digit: 

1 presented to TSG for information; 

2 presented to TSG for approval; 

3 or greater indicates TSG approved document under change control. 

y the second digit is incremented for all changes of substance, i.e. technical enhancements, corrections, 
updates, etc. 

z the third digit is incremented when editorial only changes have been incorporated in the document. 
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Scope 



Bearer and Teleservices, as respectively defined in GSM 02.02 and GSM 02.03, are the objects which the GSM PLMN 
operators offer to their customers. Besides these basic telecommunications services, features which aim at up-grading 
these basic services need also to be offered. Due to the use of radiocommunications in a PLMN, which are of a special 
nature compared to classical distribution transmission techniques used in the fixed networks, such a category of features 
is related to security aspects. 

In a GSM PLMN, both the users and the network operator have to be protected against undesirable intrusion of third 
parties. However, measures should be provided for in order to insure maximum protection of the rights of the 
individuals concerns. As a consequence, a security feature is either a supplementary service to Tele or Bearer services, 
which can be selected by the subscriber, or a network function involved in the provision of one or several 
telecommunication services. 

The purpose of the present document is to define the security features which are to be available in a GSM PLMN, 
together with the associated levels of protection. The present document is only concerned with those security features 
which aim at the up-grading of the security in a GSM PLMN. In particular, end-to-end security is outside the scope of 
the present document. 

The implementation aspects of security features are described in GSM 03.20. 

1.1 References 

The following documents contain provisions which, through reference in this text, constitute provisions of the present 
document. 

• References are either specific (identified by date of publication, edition number, version number, etc.) or 
non-specific. 

• For a specific reference, subsequent revisions do not apply. 

• For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including 
a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same 
Release as the present document. 

[1] GSM 01.04: "Digital cellular telecommunications system (Phase 2+); Abbreviations and 

acronyms". 

[2] GSM 02.02: "Digital cellular telecommunications system (Phase 2+); Bearer Services (BS) 

supported by a GSM Public Land Mobile Network (PLMN)". 

[3] GSM 02.03: "Digital cellular telecommunications system (Phase 2+); Teleservices supported by a 

GSM Public Land Mobile Network (PLMN) " . 

[4] GSM 03.20: "Digital cellular telecommunications system (Phase 2+); Security related network 

functions". 

[5] GSM 11.11: "Digital cellular telecommunications system (Phase 2+); Specification of the 

Subscriber Identity Module - Mobile Equipment (SIM - ME) interface". 

1 .2 Abbreviations 

Abbreviations used in the present document are listed in GSM 01.04. 



2 General 

The use of radiocommunications for transmission to the mobile subscribers makes PLMNs particularly sensitive to: 
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misuse of their resources by unauthorized persons using manipulated Mobile Stations, who try to impersonate 
authorized subscribers; and 

eavesdropping of the various information which are exchanged on the radio path. 

It can be seen that PLMNs intrinsically do not provide the same level of protection to their operators and subscribers as 
the traditional telecommunication networks provide. This fact leads to the need to implement security features in a 
GSM PLMN in order to protect: 

i) the access to the mobile services; 

ii) any relevant item from being disclosed at the radio path, mainly in order to ensure the privacy of user-related 
information. 

Two levels of protection are therefore assumed: 

where security features are provided, as defined in clause 3, the level of protection at the radio path of the 
corresponding items is as good as the level of protection provided in the fixed networks; 

where no special provision is made, the level of protection at the radio path is null. All items which are not dealt 
with in clause 3 are therefore considered to need no protection. 



3 Security features provided in a GSM PLMN 

The following security features are considered: 

subscriber identity (IMSI) confidentiality; 

subscriber identity (IMSI) authentication; 

user data confidentiality on physical connections; 

connectionless user data confidentiality; 

signalling information element confidentiality. 

The implementation of these five security features is mandatory on both the fixed infrastructure side and the MS side. 
This means that all GSM PLMNs and all MSs shall be able to support every security feature. Use of these five security 
features is at the discretion of the operator for its own subscribers while on the HPLMN. For roaming subscribers, use 
of these five security features is mandatory unless otherwise agreed by all the affected PLMN operators (see also 
subclause 3.3.3). 

3.1 Subscriber identity confidentiality 

3.1.1 Definition 

The subscriber identity confidentiality feature is the property that the IMSI is not made available or disclosed to 
unauthorized individuals, entities or processes. 

3.1.2 Purpose 

This feature provides for the privacy of the identities of the subscribers who are using GSM PLMN resources (e.g. a 
traffic channel or any signalling means). It allows for the improvement of all other security features (e.g. user data 
confidentiality) and provides for the protection against tracing the location of a mobile subscriber by listening to the 
signalling exchanges on the radio path. 
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3.1.3 Functional requirements 

This feature necessitates the confidentiality of the subscriber identity (IMSI) when it is transferred in signalling 
messages (see subclause 3.5) together with specific measures to preclude the possibility to derive it indirectly from 
listening to specific information, such as addresses, at the radio path. 

The means used to identify a mobile subscriber on the radio path consists of a local number called Temporary Mobile 
Subscriber Identity (TMSI), described in GSM 03.20. 

When used, the subscriber identity confidentiality feature shall apply for all signalling sequences on the radio path. 
However, in the case of location register failure, or in case the MS has no TMSI available, open identification is 
allowed on the radio path. 

3.2 Subscriber identity authentication 
3.2.1 Definition 

International Mobile Subscriber identity (IMSI) authentication is the corroboration by the land-based part of the system 
that the subscriber identity (IMSI or TMSI), transferred by the mobile subscriber within the identification procedure at 
the radio path, is the one claimed. 



3.2.2 Purpose 



The purpose of this authentication security feature is to protect the network against unauthorized use. It enables also the 
protection of the GSM PLMN subscribers by denying the possibility for intruders to impersonate authorized users. 



3.2.3 Functional requirements 



The authentication of the GSM PLMN subscriber identity may be triggered by the network when the subscriber applies 
for: 

a change of subscriber-related information element in the VLR or HLR (including some or all of: location 
updating involving change of VLR, registration or erasure of a supplementary service); or 

an access to a service (including some or all of: set-up of mobile originating or terminated calls, activation or 
deactivation of a supplementary service); or 

first network access after restart of MSC/VLR; 

or in the event of cipher key sequence number mismatch. 

Physical security means must be provided to preclude the possibility to obtain sufficient information to impersonate or 
duplicate a subscriber in a GSM PLMN, in particular by deriving sensitive information from the mobile station 
equipment. 

If, on an access request to the GSM PLMN, the subscriber identity authentication procedure fails and this failure is not 
due to network malfunction, then the access to the GSM PLMN shall be denied to the requesting party. 

3.2.4 Authentication during a malfunction of the network 

If an MS is registered and has been successfully authenticated, whether active or not active on a call, calls are permitted 
(including continuation and hand-over). 

If an MS has already been registered (and therefore been already authenticated) and can not be successfully 
reauthenticated due to the network malfunction (e.g. the HPLMN was not able to provide authentication pairs RAND, 
SRES), calls are permitted. 

If an MS attempts to register and can not be successfully authenticated due to the network malfunction, calls are not 
permitted. 



ETSI 



3GPP TS 42.009 version 4.0.0 Release 4 8 ETSI TS 1 42 009 V4.0.0 (2001 -03) 

If the MS is not registered, or ceases to be registered, a new registration need to be performed, and the preceding cases 
apply. 

3.3 User data confidentiality on physical connections (Voice 
and Non-voice) 

3.3.1 Definition 

The user data confidentiality feature on physical connections is the property that the user information exchanged on 
traffic channels is not made available or disclosed to unauthorized individuals, entities or processes. 

3.3.2 Purpose 

The purpose of this feature is to ensure the privacy of the user information on traffic channels. 

3.3.3 Functional requirements 

Encryption will normally be applied to all voice and non-voice communications. Although a standard algorithm will 
normally be employed, it is permissible for the mobile station and/or PLMN infrastructure to support more than one 
algorithm. In this case, the infrastructure is responsible for deciding which algorithm to use (including the possibility 
not to use encryption, in which case confidentiality is not applied). 

When necessary, the MS shall signal to the network indicating which of up to seven ciphering algorithms it supports. 
The serving network then selects one of these that it can support (based on an order of priority preset in the network), 
and signals this to the MS. The selected algorithm is then used by the MS and network. The network shall not provide 
service to an MS which indicates that it does not support any of the ciphering algorithm(s) required by GSM 02.07. 

The ME has to check if the user data confidentiality is switched on using one of the seven algorithms as defined in 
GSM 02.07. In the event that the ME detects that this is not the case, or ceases to be the case (e.g. during handover), 
then an indication is given to the user. 

This ciphering indicator feature may be disabled by the SIM (see GSM 11.11). 

In case the SIM does not support the feature that disables the ciphering indicator, then the ciphering indicator feature in 
the ME shall be enabled by default. 

The nature of the indicator and the trigger points for its activation are for the ME manufacturer to decide. 

During the establishment of a call the trigger point shall be at call initiation at the latest. In the case of handover the 
trigger point shall be the completion of handover at the latest. 

The manufacturer may provide the means to enable the user to temporarily disable the feature. This should be done in 
such a way that the user can protect it from misuse. 

3.4 Connectionless user data confidentiality 

3.4.1 Definition 

The connectionless user data confidentiality feature is the property that the user information which is transferred in a 
connectionless packet mode over a signalling channel is not made available or disclosed to unauthorized individuals, 
entities or processes. 

3.4.2 Purpose 

The purpose of this feature is to ensure the privacy of the user information on signalling channels (e.g. short messages). 
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3.4.3 Functional requirements 

NOTE: Protection of connectionless user data is not applicable to SMS Cell Broadcast. 

3.5 Signalling information element confidentiality 

3.5.1 Definition 

The signalling information element confidentiality feature is the property that a given piece of signalling information 
which is exchanged between MSs and base stations is not made available or disclosed to unauthorized individuals, 
entities or processes. 

3.5.2 Purpose 

The purpose of this feature is to ensure the privacy of users related signalling elements. 

3.5.3 Functional requirements 

When used, this feature applies on selected fields of signalling messages which are exchanged between MSs and base 
stations. 

The signalling information elements included in the message used to establish the connection (protocol discriminator, 
connection reference, message type and MS identity (IMSI, TMSI or IMEI according to the circumstance)) are not 
protected. 

The following signalling information elements related to the user are protected whenever used after connection 
establishment: 

International Mobile Equipment Identity (IMEI). 

- International Mobile Subscriber Identity (IMSI). 

Calling subscriber directory number (mobile terminating calls). 

Called subscriber directory number (mobile originated calls). 

The IMSI is stored securely within the SIM. 

The IMEI shall not be changed after the ME's final production process. It shall resist tampering, i.e. manipulation and 
change, by any means (e.g. physical, electrical and software). 

NOTE: This requirement is valid for new GSM Phase 2 and Release 96, 97, 98 and 99 MEs type approved after 
1 st June 2002. 

The security policy for the Software Version Number (SVN) is such that it cannot be readily changed by the user, but 
can be updated with changes to the software. The security of the SVN shall be separate from that of the IMEI. 
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